Billy Mitchell was an iconoclastic American military airman from the early 20th century. He was a firm believer in military air power and was ordered court-martialed in 1925 by President Calvin Coolidge for criticizing his military superiors over the issue. My kind of guy. Gary Cooper played Mitchell in a 1955 movie, by which time everyone knew he had been right all along. My fear is that when it comes to cyber warfare there is no Billy Mitchell today in Washington.

Cyber warfare was big news last week. President Obama said he would name a cyber warfare czar to be a single point of contact on the issue for his Administration and that person would have direct access to the President.

If only that were true, but it isn’t, and the U.S. will be endangered as a result.

Billy Mitchell’s argument was that aircraft would come to play a huge role in modern warfare, supplanting battleships at sea and artillery on the ground. Air power was so important, Mitchell argued, that there should be a single air service to develop and deploy aircraft as needed in any war. This still hasn’t fully happened, of course, though Mitchell’s work did directly lead to the creation of the U.S. Air Force in 1947 — 22 years and one world war after his court-martial for suggesting it in the first place.

The problem with Obama’s cyber czar is that the Administration is CALLING the position a priority but not MAKING it one. The position has in some accounts been called a “member” of the National Security Council, but the czar is also said to “report” to both the Director of National Intelligence and to the President’s Senior Economic Adviser. Well you can’t be ON the council and also REPORT to those guys — one of whom is on the council and the other is allowed to drop in if he feels like it.

In short, this is an NSC staff job.

Obama said the czar would have “direct access” to him, but didn’t say how. At best I think they’ll pass in the corridor.

This is no czar. That’s literally the case, of course, because nobody has yet been hired for the job. But it is also the case that the job will — as the NSC is organized — not have the power needed to do what must be done. Czars are dictators; this guy can only recommend and even then he’ll be recommending to people who may not then bother to inform the President.

If the cyber warfare czar is, in fact, a czar, the first thing he or she should do is give himself a promotion, which won’t happen.

In the meantime there are competing interests at the Department of Defense, the National Security Agency, the CIA, the Department of Homeland Security, the Department of Justice, and possibly elsewhere. Each of these agencies is building its own cyber warfare capability, each with a different agenda both stated and real. The stated agendas are to play either cyber defense or offense. The actual agendas are to protect departmental turf from the new cyber warfare czar, to undermine him or her.

Let’s go back to Billy Mitchell for a moment and think about how the technology of aerial warfare came to be in his era. Most of the military services developed their own air capability as lip service to the idea while actually protecting major — and antiquated — weapon systems. The U.S. Navy bought some planes and built some aircraft carriers, but not at the expense of battleships. Even when naval air power came to the fore during World War II it was almost an accident, since the only surviving capital ships in the Pacific after the attack on Pearl Harbor were aircraft carriers, the battleships having for the most part been destroyed. So the Navy had to rely on air power since that’s the only power it still had.

They weren’t smart at all, just lucky.

It is rare in U.S. military history for a technological innovation to come down on our side. That’s because as self-designated good guys we are generally playing defense and defense doesn’t usually get the cool new toys. It’s only in the U.S. development of nuclear weapons that we got a jump on the rest of the world — a jump that put us firmly in control for half a century (now past).

We are woefully unprepared for cyber warfare mainly because the military doesn’t want to lose funding for its other weapons — weapons that are likely to be rendered unusable or, worse still, actually used against us in a cyber attack.

Yes, it is that bad.

The best position here is to make cyber warfare a real priority, give the cyber czar some actual authority, and have him or her report to the President. Otherwise the lessons of Billy Mitchell will have been forgotten and our first cyber war could be our last.

59 Comments

The worst reason to appoint a “czar” is that we have czars for many, many things that never got fixed and never will. It’s a feelgood tactic, designed to give everyone the illusion that someone is in control, when in reality all the President has done is insulated himself with political ballast he can cut if things get worse.

Oh… it’s writing like this that gets me in trouble for laughing out loud from my acre of the cube farm: “The stated agendas are to play either cyber defense or offense. The actual agendas are to protect departmental turf from the new cyber warfare czar, to undermine him or her.”

You’re on the right track, but it’s actually worse than you suspect. In my work with DOD, I occasionally get a “peek under the tent” at some of the issues that are really vexing the department. One of those is cyber-security. Not just the run-of-the-mill variety, (including malware, etc.) but genuinely sophisticated “warfare” aimed at the security and defense infrastructure of the DOD and the U.S. generally.

Among the new policies that are in place these days is one that prohibits the use of flash memory drives. Its not because they might contain a virus loaded from another computer, but rather that the memory itself might contain malware installed during chip fabrication. And, that’s just the tip of the iceberg….

cretus
June 4, 2009 at 8:30 am

No problem, we can outsource this and save a bundle!

Ben
June 1, 2009 at 12:52 pm

Bob: maybe it should be you.

Kevin Kunreuther
June 1, 2009 at 1:15 pm

You’re right, we will get creamed, thousands, if not millions of civilians will get hurt and die. Billions for Detroit and the banks but not one lousy Lincoln penny for internet cyberwarfare preparedness.
Eh, not too sexy sounding, but true. I wonder if it will be done the old fashioned way (EMP over North America or Europe) or a genuine cyber attack?

David
June 1, 2009 at 1:20 pm

Bob,

Having been a pilot and being a military history buff, I have burned a candle for Mitchell since my early teens in Civil Air Patrol. Air power was decisive in WWII and Mitchell takes much of the credit for the capabilities we had entering that war.

However, the war on both sides of the world was won with crypto. It is unlikely that we would have sent 4 Japanese carriers to the bottom at Midway if we where not able to ambush their ambush. This only makes your point more focused.

While most military operational systems, such as Aegis, are, rightly, disconnected from any network, the real risk in cyberwarfare is in intelligence compromise which given the crushing defeat we handed out in WWII with the right intelligence, it is surprising that this point needs to be made all. They do teach this stuff at the academies, right?

Flowing from history, and by evidence to the job postings you see around DC over the last 10 years, I suspect offensive Cybersecurity operations are much healthier and much more secret than defensive ones.

Thanks for the article.

David

Johnv2
June 2, 2009 at 6:59 pm

Yeah, and look what the Navy did to the poor sap who actually figured out that the Japanese Navy had designs on Midway. Ask Mr. Google about Joseph Rochefort.

StewBaby
June 5, 2009 at 7:40 am

And let’s not forget about ‘Enigma’ and Bletchley Park.
Without them UK would have lost the battle of the Atlanic.
Allied commanders were given ‘Ultra’ information about
German attacks and intentions, etc..

Another visionary of the pre war years was Fuller, but the
US, UK, France , etc ignored his ideas while Germany didn’t,
which lead to the ‘Blitzkrieg’

ECF
June 1, 2009 at 1:35 pm

Very well said!
I would mention the possibility that American intelligence and the government knew of the attack in advance but that they let it happen to have a bloody shirt to wave ( hello 9/11…).

sorry for the O.T. and yes, I know; I’m a traitor !

@Bob: Ben might be right…

David W.
June 1, 2009 at 1:44 pm

Irony of ironies: The Japanese who practically destroyed the U.S. navy with a single attack on Peal Harbor didn’t even understand the importance of air power themselves. They spent a ton of money on battleships including the Yamato, the largest battleship ever built.

Its first battle was the Battle of Midway, but ended up withdrawing due to air attacks and the loss of four Japanese aircraft carriers. It spend most of the war running from harbor to harbor in order to keep from getting bombed by air craft. It also used too much fuel to be actively used.

It was later used in battle in 1945 when the Japanese were desperate to throw everything they had against the Americans. It was immediately attacked and sunk in battle.

Peter M.
June 1, 2009 at 2:16 pm

We have to make cybersecurity sexy. You have to create some sort of virtualized battlefield where you can show off your cyber tools of war. Otherwise they will continue to spend the money on a weapon that can destroy a tank 15 miles away with the push of a button.

The sad fact is that everything in American society is relative. Even our justice system operates on the notion of precedent instead of one of absolute truth.

In as much, the mere fact that Obama is calling for someone to address the problem at all is progress when compared with the way in which the nincompoops of the previous administration ignored the problem completely. Nobody cares if you’re actually doing something about the problem as long as you are better than the next guy. This is how progress is perceived in the USA.

Arguing in absolute terms is the right thing to do. Unfortunately, you’re not in Europe. You’re in the USA.

As someone who marched to Mitchell Hall for 4 years, thanks for remembering him. And he’s appropos to the current discussion. After a short career in the AF and a long career in the defense industry, I would suggest that the power and authority of this new cyber position will be directly proportional to the power and influence of the industrial powers who will come to depend on it for their growth. Either you’re in the military industrial complex, or you’re not. If you’re in the military virtual complex … so’s your power … virtual.

bruno
June 1, 2009 at 3:55 pm

It’s a management problem. Corporate BS redux. How many times has a CEO paid lip service to the “strategic imperative” of IT and then directed the CIO to report to the CFO (who is almost universally clueless and was probably hired away from the PC, EY, KPMG, DTT firm that handles the audit?) That never works. The CEO wants to impress the analysts and press but doesn’t care to rub shoulders with the nerds he has to call when his “thingy” doesn’t work with his “flapperdoodle.”

David
June 1, 2009 at 6:14 pm

Bob,

The Japanese seriously damaged many ships at Pearl Harbor, but few were destroyed–the battleships Oklahoma and Arizona were total losses, but the others were re-floated (where necessary), repaired, and returned to service during the war. The Japanese were sufficiently confident in naval air power that the main purpose of their attack was to take out as many American carriers as possible. They knew they could not win a protracted war with the US; destroying a major portion of America’s naval air power was their best shot to delay a counterattack as long as possible. Unfortunately for them, all of the American carriers were out to sea. The Japanese proceeded with the attack anyway and awoke “the sleeping giant.”

John
June 1, 2009 at 6:27 pm

I feel like disagreeing with Bob this time.

I do agree the cybersecurity czar could, should have more executive clout.

I think the cybersecurity czar is a noteworthy first step. I try to spend an hour or so each week researching a few news stories. I found out there has been a recommendation for the White House to create such a position for the last 6 years. The recommendation was ignored by the previous administration. I could go into a discussion of a number of things that were ignored over the last several years, its a pretty scary list. Given the fact SOMETHING was done and in the first few months of the new administration is positive step.

I get at least 100 spam messages a day. My mail service is pretty good and filters out most of them. I occasionally examine them and find all sorts of pfishing attempts, links to questionable sites with questionable domain registrations, really rude content, etc. There has been a lot of talk about fixing email, but not many results. A cybersecurity czar could make a difference. He could press the big email carriers to come up with a more secure system and implement it quickly. At a diplomatic level he can encourage other countries to press their ISP’s to clean up their act. As soon as there is a serious effort underway to clean up things, then it will become easier to block email and traffic with rouge nations and ISP’s. Most countries want the Internet. If the world starts clean up their Internet act, the incentive will be there for everyone to do so or be cut off.

I manage a web hosting facility. I see a lot of companies and many government sites are still doing stupid stuff. There are best practices for network design and Internet connectivity. The USA retail industry is in the process of implementing the PCI security standards. This is an example of good “best practices.” If the cybersecurity czar mandated similar rules for military and government networks and Internet sites, it would help.

These two items if implemented would make a big improvement.

Previous administrations sometimes appointed figure-heads to government positions. They really were not qualified for the job and accomplished very little, if anything. If the cybersecurity czar is a figure-head, then Bob is right and I am wrong. Maybe this time we have a serious appointment and he is expected to show results. This seems to be an administration who expects results. So maybe it is a good first start. Maybe in a few years the office will be expanded and elevated in importance. We’ll see.

Ron
June 1, 2009 at 7:28 pm

I vote for Steve Gibson to be the czar.

Shannon
June 2, 2009 at 10:38 am

I don’t think Steve Gibson would be a good Cyber Zsar, but I do think Steve should be the go-to guy for the Cyber Zsar. Here’s how I’d structure the Cyber Zsar hierarchy:

I’m sorry, but I fail to understand at what point a system or any (military or otherwise) system requires to be on the Internet.

If a Czar is required, it should be someone who has the authority to set policy, order the shutdown of bot nets by having the zombie PCs disconnected (not like it’s rocket science to figure out who’s PCs are spewing spam), or forcing companies to play nice with the protocals that drive the net.

The Czar is not required because the Marines put a ship in the water running Windows and their service members can Twitter that they’re firing the big guns, or surf LOLCats (Can I Has State Seekrets?) or blog about their march into some 3rd world capital?

And anything that is required (power grid, water, gas, etc.) should remain completely off the net and the two shall never meet.

But, but, but… That CTO guy, Kundra, wants to do all this web2.0/3.0 Cloudy stuff. How can he do that if the Cyber Czar tells him he can’t have all those shiny new toys? I mean, Cloudy stuff is so Now. Security stuff, like keeping important machines off the ‘Net is so, well, 1980s. Sheesh. You’re no fun.

Tim
June 2, 2009 at 5:09 am

I suppose they’ll ask for a solution that doesn’t involve an unfamiliar OS, won’t ask them to run updates or ask them to stay away from questionable pages. We are so screwed.

Tim W
June 2, 2009 at 6:00 am

My concern would not be centered on email or spam but other areas. Most of our smart weapons rely on GPS and other systems. Many contain external control capability. Can these be compromised?

Our nations electrical grid is connected electronically. There are confirmed probing attacks into these systems. What could a properly coordinated trojan widely spread into the grid controls do to this country? The results could be very significant.

Not just our “smart weapons” – the Air Force eliminated navigators from most planes several years back and the Navy stopped training people how to use anything but GPS. The military does have some backup plans, but I’m not sure how thorough they really are.

Stephen J
June 2, 2009 at 10:41 am

One way to prevent our military from being crippled by a cyber attack would be to require isolation of the computers and networks involved in battlefield and logistics from the internet.

How about less reliance on computer technology on the battlefield?

After all, isn’t that how the Cylons wiped out Caprica?

John
June 3, 2009 at 5:49 am

In the Terminator series of movies, it is also how the machines took over the world to the detriment of the human race.

Petey Wheatstraw
June 2, 2009 at 6:52 pm

Show me your experimental results that demonstrate that an attacker can take down a ballistic missile site or prevent the Pacific fleet from leaving Pearl.

Until then you are only a wannabe vendor spreading FUD.
This industry already has way too much Dancho to be credible.

I think you nailed it Petey. I hereby challenge the thousands of super-eggheads and billions of dollars in assets controlled by the defense and technology companies who would love to get a piece of the $800 billion pie being served up by Obama’s administration to launch a credible attack on America’s cyber security. Something that the man in the street can understand. If they can’t do it, then this is all bs.

Wanting to be anonymous for obvious reasons
July 4, 2009 at 5:42 pm

How about taking out a large part of the electricity grid for a few hours by attacking the management systems of power plants? That can be done. The vulnerabilities there are pretty well known.

Jesse S.
June 3, 2009 at 5:46 am

Why use the term “cyber warfare”? That term is poison and all it is going to do is make generals, tax payers and elected officials wonder why we don’t have the massive, darkened room with terminals, overhead displays and a hierarchy of bespeckled military personnel. Why promote stupidity? The real terms for it are total war and real politik, both very total and very real.

We have already seen it with Russia and Georgia and if the US and Russia were to engage each other, it would be the Russians who had the bomb while the US was sitting around wondering if it was all about rubber bands and Elmer’s glue.

To ponder the question is to accept hopelessness.

Petey Wheatstraw
June 3, 2009 at 5:58 am

“We have already seen it with Russia and Georgia and if the US and Russia were to engage each other, it would be the Russians who had the bomb while the US was sitting around wondering if it was all about rubber bands and Elmer’s glue.”

Wrong. We did not “see” cyber war with Georgia or any demonstration of an effective capability. Georgia only demonstrated that the Russians know how to do IO, but they have been doing IO in the modern sense for decades.

David
June 3, 2009 at 11:25 am

Folks. The risk from the internet, for the most part, is not directly operational, but intelligence and to a lesser degree sabotage of civilian systems. Intelligence wins wars.

There are technical IT related risks to isolated networks (non-internet).

The operational risks have more to do with the compromise of components in the manufacturing cycle. There is a company in China making Cisco router clones that are almost impossible to identify. Such devices could be a Trojan horse into secure systems that create back doors, or fail on a kill signal/condition. How many components in TS systems are made in China?

What I would love to see is “Cyber warfare national guard.” I have an old computer that I need to check on and update every now and then. I wouldn’t mind giving the reigns over to the government, it would continue to function as a web server, but they could use it for whatever they wanted.

Just imagine a volunteer USA Botnet.

Tim K
June 7, 2009 at 7:13 am

Okay, I’m one of these guys who is not uber technical. If I drag my pc to the coffee house, I can hit a mechanical button and I’m on the internet. I can down load the page I want to look at, then hit the button again and I’m off the network.

In my apartment, which is kind of an extended stay place, so I take what they give me, I have a wire coming out of the wall. To acheive the same effect I have to plug in and plug out the wire.

What I’d rather have is a mechanical switch like the wireless button I have for disconnecting and connecting myself to the internet on the fly.

In fact, the web browsers we have should have a setting that allows the machine to do that automatically.

I’m off the net, until I click on something, then it bursts onto the net to retrieve data, when it’s done it electro-mechanically switches me off the network until I make another request.

If I want full time, always on the net, I should have a setting for that too.

This all leads towards a more intelligent browser.

Tim K
June 7, 2009 at 7:20 am

Oh, and my point in all that is that machines shouldn’t be left on the internet – whether they are military or the machine in your bedroom at home – unless there’s a specific reason. Most of the time online, I am really looking at a page that was downloaded in a short period burst.

I realize that this won’t stop a lot of virus’s but it could, in the aggregate, have an impact on a lot of other kinds of mayhem.

[…] the creation of a “Cyber Czar,” a scary doublespeek title that will amount to little. No one seems able even to decide who he will report to. This position is important enough that it should almost be a fifth branch of the military, if that […]

A Billy Mitchell is not needed. In fact the presence of a cyberwar Billy Mitchell would be more dangerous for this nation than his absence. Extending the war metaphor to conflicts taking place in cyberspace is not simply flawed, it is dangerous.

Consider the idea of war, what is it? Clausewitz said it was the “continuation of political intercourse, carried on with other means”. What he meant was when political intercourse and diplomacy broke down war was the tool used to resolve the political argument. Think about that. What would be the threshold that would differentiate continued political intercourse from the failure of political intercourse that precipitates war in cyberspace?

To expand on this consider the recent Iranian ‘cyberwar’. This cyberwar was described by most commentators as consisting of Iranians using new technologies to communicate about their efforts at resisting a discredited election. A related component of this cyberwar was people outside of Iran attempting to help Iranians with their communications. This meets the Clauzewitzian threshold for continuation of political intercourse but what was it in reality? It was free speech. And the political power could legitimately claim to be fighting a cyberwar by suppressing their political opponents freedom of speech.

Without a very well defined and salient description of what cyberwar is the instantiation of a military function to protect us from it is inherently dangerous. Most ‘cyberwar’ bears no resemblance to war of any kind. It is crime. It is speech. It is abuse. But it does not require a military response, it requires something else entirely.

This is getting a bit more subjective, but I much prefer the Zune Marketplace. The interface is colorful, has more flair, and some cool features like ‘Mixview’ that let you quickly see related albums, songs, or other users related to what you’re listening to. Clicking on one of those will center on that item, and another set of “neighbors” will come into view, allowing you to navigate around exploring by similar artists, songs, or users. Speaking of users, the Zune “Social” is also great fun, letting you find others with shared tastes and becoming friends with them. You then can listen to a playlist created based on an amalgamation of what all your friends are listening to, which is also enjoyable. Those concerned with privacy will be relieved to know you can prevent the public from seeing your personal listening habits if you so choose.

noticed, a long time make a note of. Well another article that will work out just fine. I need it for a project, lucky it has a similar theme as the one here. I am relieved that I found it, happy trails.

The problem is they can’t. There is some software that will show some sort of alert if you linger around an area too long. That’s the time they watch and make sure you aren’t stealing. Most thieves are caught because an employee saw them or security happened to see them on camera. The people who plan things out and are quick get away.

You think that’s bad? I went to Salou a couple of years ago, and Stansted was bulging with people wearing Super Dry and Henley’s t-shirts and hoodies, especially the ones going to the costa del sol and Barcelona. Laughed at your take on middle-age women reading Martina Cole, while looking around sneakily to see if they are being watched, or even ‘admired’ (you’ve got it to a T), and what makes it worse, they plaster on make up, taken out of a ‘bum’ Gucci bag. I always thought the Spanish smile at us out of respect when we pass through a check out in their country. Who knows – it may be, but I bet they have a phrase all their own when dealing with the weirdies who are wearing their fake Rolexes and Armani gear!